Certified Cybersecurity Maturity Model Certification (CMMC) auditors know firsthand how identity management is a critical linchpin in maintaining security. When assessing a Defense Industrial Base (DIB) supplier's compliance with CMMC controls, identity and access management (IAM) is often one of the areas where they find significant vulnerabilities. The stakes are high: a misstep here could compromise sensitive Controlled Unclassified Information (CUI) and, ultimately, national security and may jeopardize a company’s reputation. And additionally, DIB revenues can suffer if they fail the audit and do not qualify for lucrative contracts.

In this blog, we share an auditor’s concerns and insights when evaluating a typical DIB’s identity solution, hoping to help others understand how to meet the CMMC requirements more effectively to protect against cyberattacks as well as land and maintain government contracts.

When the CMMC auditor reviews a company's identity solution, they start by checking whether there is a defined and centralized framework for managing digital identities. A CMMC control requires companies to establish an identity and authentication system, ensuring that only authorized individuals have access to systems containing CUI.

Auditors often see DIBs using a patchwork of systems—different solutions for different departments or even multiple solutions that don’t communicate well with each other. This fragmented approach can lead to significant gaps.  The concern here is twofold:

1. Lack of a unified approach: Fragmentation means administrators may struggle to effectively monitor, control, and manage access across the organization.

2. Potential for human error: With disparate systems, it becomes easier for users to exploit identity loopholes or for administrators to make mistakes in provisioning or de-provisioning access.

Despite years of emphasis on strong passwords, many organizations still struggle to implement adequate password policies. This CMMC control requires authentication of users, processes, or devices before allowing access to organizational information systems.

One of the key points is whether the supplier has implemented the following:

• Strong, complex password policies (aligned with NIST standards).
• Password management solutions to prevent reuse.
• Monitoring for password breaches or compromised accounts.

Unfortunately, some organizations rely solely on passwords without sufficient secondary authentication methods, leaving their systems vulnerable to brute-force attacks or credential stuffing.

Recommendation from the field: Use MFA everywhere it is required—and wherever possible, including for all remote access and administrative accounts.

MFA has become a foundational requirement for protecting sensitive information, and it's explicitly stated in the CMMC practices. The presence of MFA reduces the risk of credential theft and unauthorized access, especially for privileged users in local systems..

Auditors often find gaps in how MFA is deployed. For instance, a supplier might use MFA for remote access but not for local systems, or they may not enforce it uniformly across all users. This piecemeal deployment puts them at risk of non-compliance, and worse, exposes critical assets to attack.

A thorough MFA deployment should:

1. Cover all systems containing CUI: Ensure that access to any system storing or transmitting CUI requires MFA, no matter where the access is initiated.

2. Apply to privileged accounts: System administrators, developers, and those with elevated privileges should always be required to use MFA.

One of the primary concerns during an audit is whether the principle of least privilege is being properly enforced. This CMMC control requires that users only have access to only the information necessary to perform their jobs. However, many auditors encounter excessive permissions granted to employees. While this might seem like an efficiency move to some, it creates unnecessary risk.

Many organizations fail to regularly audit user access and remove unnecessary privileges. Identity creep, where users accumulate permissions over time without them being removed, is a common issue. This not only violates CMMC controls but also expands the attack surface, making the organization more vulnerable to insider threats or compromised accounts.

To meet this control:

1. Implement role-based access controls (RBAC): Assign roles based on job functions and ensure that access rights are consistently applied across the organization.

2. Conduct regular access reviews: Ensure user privileges are reviewed and adjusted regularly, especially after role changes or terminations. 

Identity management isn't just about setting up controls and leaving them in place. Continuous monitoring and auditing of identities are essential to ensure ongoing compliance. The CMMC control, which focuses on the need for auditing and monitoring the use of privileged access, ensures that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

A robust identity solution should:

• Log all access events, including successful and failed login attempts, changes to privileges, and system access by privileged users.
• Alert on suspicious activities, such as login attempts from unusual locations, excessive failed login attempts, or privilege escalation requests.

Unfortunately, during audits, auditors often find that while logs may exist, they aren’t actively monitored or reviewed. This oversight means that threats could go undetected for long periods, allowing malicious actors or compromised accounts to operate unchecked.

Identity and access management is a critical element of CMMC compliance, but it’s also one of the areas where organizations struggle the most. The good news is that with the right tools and policies, these challenges can be addressed effectively.

From implementing strong password policies and enforcing MFA to applying the least privilege principle and continuously auditing access, each of these elements plays a crucial role in securing your systems and achieving compliance. Auditors urge DIBs to take a proactive approach—waiting until an audit to address identity management issues is too late both to land contracts and to ensure security.

Identity management isn't just about meeting a requirement; it’s about protecting national security by ensuring that the right people—and only the right people—have access to sensitive information. By acting today, you can secure your future—and lessen the stress of a CMMC audit.

For more information about all compliance and how to optimize your IAM solution, check out our CMMC brief here.